Impact
An incorrect implementation in Chrome’s password handling module that existed before version 149.0.7827.155 permits a remote attacker to leak cross‑origin data through a specially crafted HTML page. The flaw involves an insecure trust boundary (CWE‑863) and insufficient data validation in passwords (CWE‑940). Based on the description, it is inferred that the browser erroneously treats data from one origin as safe for use in another, enabling confidential user data to be accessed by malicious pages.
Affected Systems
All desktop installations of Google Chrome older than 149.0.7827.155 are impacted, regardless of operating system, because the vulnerability originates in the core password component shipped with the browser.
Risk and Exploitability
With a CVSS score of 4.3 the weakness falls into the medium‑severity range. The reported EPSS is less than 1 % and the issue is not listed in CISA’s KEV catalog, indicating a low likelihood of widespread exploitation at this time. Based on the description, it is inferred that the attack requires the victim to visit a malicious web page that supplies a crafted form, so the primary vector is client‑side phishing or drive‑by attacks. The flaw stems from an insecure trust boundary (CWE‑863) and insufficient data validation (CWE‑940), allowing the browser to treat data from one origin as safe for another and leading to cross‑origin data leakage. While the impact is confined to confidentiality, it could enable attackers to harvest stored passwords and associated data for malicious use.
OpenCVE Enrichment
Debian DSA